[TriLUG] DD-WRT Remote Vulnerability

Jim Tuttle jjtuttle at trilug.org
Wed Jul 29 09:38:52 EDT 2009 

From http://www.dd-wrt.com/dd-wrtv3/index.php

As reported at www.miw0rm.com there is a vulnerability in the
http-server for the DD-WRT management GUI that can be used for execution
of an exploit to gain control over the router.

Note: The exploit can only be used directly from outside your network
over the internet if you have enabled remote Web GUI management in the
Administration tab. As immediate action please disable the remote Web
GUI management. But that limitation could be easily overridden by a
Cross-Site Request Forgery (CSFR) where a malicious website could inject
the exploit from inside the browser.

We have fixed the issue and generated new builds of the latest DD-WRT
version. You can temporarily download the these files from here until we
did update the router database.
[UPDATE] We have integrated most of the fixed build files into the
router database. You can check there if files for build 12533 are
available for your router. If not (yet) please check the location
mentioned above to obtain the files.

The exploit can also be stopped, using a firewall rule: Go to your
router's admin interface to > Administration > Commands and enter the
following text:insmod ipt_webstr
ln -s /dev/null /tmp/exec.tmp
iptables -D INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT
--reject-with tcp-reset
iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT
--reject-with tcp-reset press "Save Firewall" and reboot your router.
This rule blocks any attempt to access sth that has "cgi-bin" in the
url. You can verify that the rule is working by entering:
http://192.168.1.1/cgi-bin/;reboot in your browser. That should give a
"Connection was reset" (Firefox).

Important Note: This only works for non-https requests. if you have
HTTPS Management turned on under > Administration > Management > Remote
Access, then turn it off. If you don't want to turn it off, you only can
do an Update.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://www.trilug.org/pipermail/trilug/attachments/20090729/68f360a2/attachment.pgp>

More information about the TriLUG mailing list